OMB No: 0920-0794
CONFIDENTIALITY SECURITY STATEMENT FOR SURVEILLANCE OF ACQUIRED IMMUNODEFICIENCY SYNDROME (AIDS) AND INFECTION WITH HUMAN IMMUNODEFICIENCY VIRUS (HIV) AND SURVEILLANCE-RELATED DATA (INCLUDING SURVEILLANCE INFORMATION, CASE INVESTIGATIONS AND SUPPLEMENTAL SURVEILLANCE PROJECTS, RESEARCH ACTIVITIES AND EVALUATIONS)
The HIV Incidence and Case Surveillance Branch (HICSB) and the Behavioral and Clinical Surveillance Branch (BCSB), formerly known as the Surveillance Branch, in the Division of HIV/AIDS Prevention - Surveillance & Epidemiology (DHAP-SE), National Center for HIV/STD/TB Prevention (NCHSTP) have received an extension of a 308(d) Assurance of Confidentiality protection for data collected through surveillance activities entitled “Surveillance of Acquired Immunodeficiency Syndrome (AIDS) and Human Immunodeficiency Virus (HIV) and Surveillance-related Data (including surveillance information, case investigations, and supplemental surveillance projects, research activities, and evaluations)” and conducted under cooperative agreements with state, city and Territorial health departments. This extension expires March 31, 2006. Because of this Assurance of Confidentiality, documents and files which contain patient-level information on persons reported as having HIV infection or AIDS or as exposed to HIV-infection in the case of infants born to HIV-infected mothers, or individual-level data from surveillance surveys, case investigations, and evaluation studies, are considered confidential materials and are safeguarded to the greatest extent possible. The confidentiality of HIV/AIDS Surveillance program data collected at the local and state levels is protected under state/Territorial law, rule, or regulation. Although patient and physician names, addresses, phone numbers, or other directly identifying information, are not routinely reported to CDC by health departments, HIV/AIDS surveillance case reports and other surveillance-related study data are highly sensitive, and may have the potential to indirectly identify infected individuals. Therefore, these HIV/AIDS surveillance and related data have 308(d) protection, and the security requirement is rated as high.
It is the professional, ethical and legal responsibility of each DHAP-SE HICSB, BCSB, and Statistics and Data Management Branch (SDMB) permanent employee, their contractors, guest researchers, fellows, visiting scientists, research interns and graduate students who participate in activities jointly approved by CDC and the sponsoring academic institution, and the like, who are granted access to data from HIV/AIDS Surveillance program activities to protect the right to confidentiality of all persons reported as having HIV/AIDS or participating in CDC-sponsored surveys, investigations, or studies related to HIV/AIDS surveillance. This document describes the procedures and practices that DHAP-SE intends to use to protect the confidentiality of the data collected as part of the HIV/AIDS Surveillance program, whether it is sponsored by HICSB or BCSB.
Portions of the data analysis and programming work which support this project are performed under contract. Therefore, we have included reference to contractors in the Assurance of Confidentiality Statement and this Confidentiality Security Statement. The Procurement and Grants Office has included appropriate 308(d) clauses in the contracts and has obtained the required 308(d) confidentiality pledges from all contractor employees associated with the projects and activities. All contractor staff undergo limited background investigations prior to performing any work at CDC.
Authorized staff of the DHAP-SE HICSB, BCSB, and SDMB, their contract staff and other authorized agents (e.g. laboratory personnel in NCID, data management personnel in NCHSTP or IRMO) are required to maintain and protect at all times the confidentiality of records that may come into their presence and under their control. In particular, they may not discuss, reveal, present, or confirm to external parties information on, or characteristics of, individual cases, or small numbers of cases, in any manner that could directly or indirectly identify any individual on whom a record is maintained by an HIV/AIDS Surveillance program. To assure that they are aware of this responsibility and the penalties for failing to comply, each DHAP-SE HICSB, BCSB, and SDMB staff member who is granted access to surveillance records or related files, their contract staff and other authorized agents, as well as staff who support the local area network (LAN) and/or mainframe computers which contain such data, will be required to read and sign a Nondisclosure Agreement (CDC 0.979), assuring that all information in HIV/AIDS Surveillance program records and related files will be kept confidential and will be used only for epidemiologic or statistical purposes. When the extension of the Assurance of Confidentiality is obtained, staff working on surveillance program activities will be required to attend a training session at which the confidentiality procedures for the program activities will be discussed in greater detail by the CDC Confidentiality Officer, a representative of the Office of General Counsel, and the Chiefs of the HIV Incidence and Case Surveillance Branch, the Behavioral and Clinical Surveillance Branch, and the Statistics and Data Management Branch or their designees. Signed agreements will be obtained at this time from each staff person who is authorized to access HIV/AIDS surveillance records. Thereafter, confidentiality training shall be conducted annually and participation in such training shall be mandatory for all persons granted access to surveillance program records and related files; HICSB, BCSB, and SDMB staff, their contractors and other authorized agents shall be required to sign confidentiality agreements on an annual basis, at the time of their annual performance review. It shall be the responsibility of the Technical and Business Stewards to provide for interim training and obtaining signed authorizations from employees, contractors, and other authorized individuals who are granted access to HIV/AIDS surveillance records prior to the next annual confidentiality training session. .
The Business Steward for HIV/AIDS Surveillance program activities is the Chief, HIV Incidence and Case Surveillance Branch, DHAP-SE (Dr. Matthew McKenna); alternate is the Deputy Chief, HIV Incidence and Case Surveillance Branch, DHAP-SE (Debra Hayes-Hughes). The Business Steward for Behavioral and Clinical Surveillance program activities is the Chief, Behavioral and Clinical Surveillance Branch, DHAP-SE (Dr. Patrick Sullivan); alternate is Deputy Chief, Behavioral and Clinical Surveillance Branch, DHAP-SE (Ken Bell). The Technical Steward will be the Assistant Chief for Informatics, HIV Incidence and Case Surveillance Branch (Sam Costa), alternate is the Chief, Statistics and Data Management Branch, DHAP-SE (Dr. Timothy Green (acting)).
In Attachment 1 is the Nondisclosure Agreement that all staff participating in HIV/AIDS surveillance program activities will sign. The originals will be retained by HICSB or BCSB DHAP-SE, with copies at the Management Analysis and Services Office (MASO). In Attachment 2 are the “Request for access to the HIV/AIDS reporting system (HARS) and other Surveillance databases” and the “Agreement to abide by restrictions on release of surveillance data collected and maintained by the Division of HIV/AIDS Prevention - Surveillance and Epidemiology” both of which must be signed by all HICSB, BCSB, and SDMB staff, their contractors and other authorized agents who are granted access to records, files and databases containing information from HIV/AIDS surveillance case reports. The provisions of Attachment 2 have been negotiated between CDC, the Council of State and Territorial Epidemiologists, and individual state/Territorial health departments. The originals will be retained by HICSB or BCSB DHAP-SE with copies at MASO. In Attachment 3 is the Contractor’s Pledge of Confidentiality entitled “Safeguards for individuals and establishments against invasions of privacy.” Contracts needed to support HIV/AIDS surveillance program activities contain 308(d) clauses, and all contractor employees with access to the data are required to sign this contractor pledge. Originals of these documents will be retained by PGO with copies on file with the Technical Steward, DHAP-SE and MASO.
Restrictions on Use of Information and Safeguarding Measures:
Information collected in the course of conducting HIV/AIDS Surveillance program activities will be used only for epidemiologic or statistical purposes and shall not otherwise be divulged or made known in any manner that could result in the direct or indirect identification of any individual on whom a record is maintained.
Except in rare and unusual circumstances, records or data containing names or other personally identifying information for individual patients will not be received by DHAP-SE on any records from HIV/AIDS surveillance program activities. Although data collection forms that CDC provides to HIV/AIDS surveillance cooperative agreement recipients to use in HIV/AIDS case reporting or CDC-sponsored surveillance projects or activities may enable the collection of personal identifiers at the local, State, or Territorial level, these identifiers will be removed before transmittal to DHAP-SE.
In unusual circumstances, such as investigations of cases involving rare or unusual modes of HIV transmission or potential threats to public health (e.g. unusual strains of HIV that may be undetected through routine screening of the blood supply) in which expert CDC staff participate with local/state/Territorial health department staff at their invitation, CDC staff may retain records with information that identifies patients, physicians or other health care providers, laboratory personnel and other records necessary to the conduct of the epidemiologic investigation. Such records require additional protection, and may not be retained at employee workstations but must be maintained in a locked file cabinet in a locked room which is secured by restricted access. In all circumstances, only the minimum identifying information necessary to the conduct of the investigation shall be maintained. Disclosure of identifying information from such investigations is prohibited, except as provided in the Assurance of Confidentiality.
Data collection forms will contain only state assigned patient identification numbers and may contain soundex codes generated from patient surnames, or other state-assigned codes. However, because these are 308(d) protected data, they will be transmitted to CDC in a secure and confidential manner. Hard copies of data collection forms may only be transmitted to CDC staff of DHAP-SE if identifying information has been stripped and records placed in sealed envelopes marked “confidential.” Following data entry and verification, as soon as feasible such hard copies should be shredded or destroyed. Electronic data are transmitted via modem, as e-mail attachments, or via diskette using couriers which can track shipments and which require authorized signatures for delivery. All data transmissions are automatically encrypted by software that generates the transfer files after automatically deleting patient and physician identifiers.
DHAP-SE HICSB, BCSB, and SDMB staff, their contractors and other authorized agents are responsible for protecting all confidential records containing information that could potentially identify, directly or indirectly, any person on whom a record is maintained, from eye observation, from theft, or from accidental loss or misplacement due to carelessness. All reasonable precautions will be taken to protect confidential surveillance data.
All contractor personnel will receive project-specific training in confidentiality procedures, in addition to the training and background investigations they must receive/undergo prior to being hired by the contractor. All contractors and their records must be maintained in a physically secure environment with appropriate oversight by the technical monitor.
If a local/state/territorial health department inadvertently fails to remove personal identifiers of individual patients, their family members or sexual or drug-using partners, or health care providers before forwarding hard copy forms to DHAP-SE, or incorrectly enters such identifying data into comments fields, DHAP-SE staff will immediately delete the identifiers, and remind health department personnel of the appropriate procedures to follow to delete such identifiers prior to transmitting records and forms to CDC.
Except as needed for operational purposes, photocopies of confidential records are not to be made. If photocopies are necessary, care should be taken that all copies and originals are recovered from the copy machines and work areas. Correspondence containing sensitive information, e.g., regarding an epidemiologic case investigation, shall be maintained in a locked file cabinet. All confidential paper records will be destroyed as soon as operational requirements permit by shredding the documents.
X E-mail, memoranda, reports, publications, slides, and presentations that contain data collected through HIV/AIDS surveillance program activities shall not contain data or information that could directly or indirectly identify any person on whom a record is maintained by CDC. In particular, specifics of case investigations, or specific geographic identifying information is highly sensitive material. It shall be the responsibility of each DHAP-SE HICSB, BCSB, or SDMB staff member, their contractors or other authorized agents who are granted access to sensitive surveillance information to safeguard such data. Only the minimum information necessary to conduct the CDC staff member’s or contractor’s specific job-related duties shall be accessed. Telephone conversations with local/State/Territorial health department personnel that include discussions of sensitive information shall be conducted discreetly, preferably in private walled offices.
Enhanced Protection of Computerized Files:
All data will be protected in confidential computer files. The following safeguards are implemented to protect HIV/AIDS Surveillance files so that the accuracy and the confidentiality of the data can be maintained:
Computer files containing programs, documents, or confidential data will be stored in computer systems that are protected from accidental alteration and unauthorized access. Computer files will be protected by password systems, access controls which can be audited, virus detection procedures, and routine backup procedures. Data stored at state and local health departments using CDC-supplied software designed to manage data for surveillance program activities are protected by security requirements that each grantee must certify it complies with before any cooperative agreements can be awarded; the software ensures that the data transmitted to CDC will be in a format that is compatible with the security and confidentiality requirements of the HIV/AIDS surveillance databases maintained by CDC.
The DHAP-SE local area network (LAN) and mainframe computers maintained by CDC’s Information Management Resource Office (IRMO) comply with several Federal policies, statutes, regulations, and other directives for the collection, maintenance, use, and dissemination of data, including the Department of Health and Human Services Automated Information Systems Security Program and the Computer Security Act of 1987 (Public Law 100-235). Additionally, the LAN is in compliance with CDC's IRMO ADP Security Policy. The DHAP-SE LAN currently operates under Novell NetWare. Security features implemented include user ID and password protection, mandatory password changes; limited logins; user rights/file attribute restrictions and virus protection.
Data will be entered into computer files by staff at state and local health departments and transmitted electronically via encrypted files to DHAP-SE SDMB staff for uploading into the division’s LAN. A portion of the upload process resides on CDC’s mainframe computers. DHAP-SE employees or contractors, and any IRMO or other CDC employees or contractors who service or maintain the systems or components necessary to support data management of HIV/AIDS surveillance program files, will be granted access to the files only upon express written approval by a Business Steward (Chief, HICSB or BCSB). The list of authorized users will be maintained by the LAN administrator, and the Technical and Business Stewards who will review the list on at least an annual basis to delete persons no longer needing access. Access is removed when staff no longer require it by notification to the LAN administrator by the Technical or Business Stewards.
Backup copies of LAN data will be made by the LAN tape backup system; data on mainframe computers is backed up by the mainframe backup system. Backup services for both sets of backups are provided under a separate CDC-wide contract. Contractor facilities and staff are subject to the same Federal policies, statutes, regulations, and other directives, as well as to departmental and CDC security policies, which apply to CDC mainframe and LAN computers and staff. Access to LAN backup tapes is restricted to three DHAP-SE staff (the LAN administrator, Network administrator, computer help-desk coordinator). Contractors are prohibited from any access to backup tapes without written permission from the Business or Technical Stewards.
Dissemination of Data from HIV/AIDS Surveillance program activities
State and local health departments receive confirmation of their transmittals of data to CDC. DHAP-SE HICSB, BCSB, and SDMB staff are responsible for timely dissemination of aggregate data at the national level, consistent with the data release policies described in Attachment A2. Data will generally be reported only in aggregate form as summary statistics including restrictions on small cell sizes and geographic identifiers; such statistics could not be used to indirectly identify an individual. Modes of disseminating data include reports, articles in the MMWR, publications, public use slide sets, and public use data sets. DHAP-SE HICSB, BCSB, and SDMB staff may provide data in response to special requests from Congress, the Department of HHS, other government agencies, and other programs within CDC on a priority basis with the approval of the Director, DHAP-SE or the Business or Technical Stewards.
Data may also be analyzed and disseminated by external collaborators and their contracted agents with appropriate authorization and in collaboration with CDC DHAP-SE Branches. External collaborators are those with whom DHAP-SE has existing cooperative agreements or contracts involving the collection or analysis of this surveillance data. Requests for such access to the data and subsequent analysis and dissemination must be made according to the procedures outlined in Attachment 2b of the Security Statement.
In limited circumstances, restricted data sets could be made available to external researchers with approval of the appropriate branch chief, and each relevant project area contributing data to the project. These requests would also be subject to the procedures outlined in Attachment 2b of the Security Statement.
Records Disposition for the National Archives and Records Administration
Records that are determined to be permanently valuable are sent to the National Archives and Records Administration (NARA). Transfers of such records and files will be done in accordance with the May 1996 agreement stating that CDC will transfer to NARA all permanent data sets in accordance with approved schedules contained in part IV of the CDC Records Control Schedule B-321, with the exception of identifying information collected under an Assurance of Confidentiality agreement as specified under the Public Health Service Act, Sections 301(d) and 308(d)
Confidentiality Security Statement Attachment 1
NONDISCLOSURE AGREEMENT
(308(d) Assurance of Confidentiality for CDC/DHAP-SE Employees)
The success of CDC’s operations depends upon the voluntary cooperation of States, of establishments, and of individuals who provide the information required by CDC programs under an assurance that such information will be kept confidential and be used only for epidemiological or statistical purposes.
When confidentiality is authorized, CDC operates under the restrictions of Section 308(d) of the Public Health Service Act which provides in summary that no information obtained in the course of its activities may be used for any purpose other than the purpose for which it was supplied, and that such information may not be published or released in a manner in which the establishment or person supplying the information or described in it is identifiable unless such establishment or person has consented.
“I am aware that unauthorized disclosure of confidential information is punishable under Title 18, Section 1905 of the U.S. Code, which reads:
‘Whoever, being an officer or employee of the United States or of any department or agency thereof, publishes, divulges, discloses, or makes known in any manner or to any extent not authorized by law any information coming to him in the course of his employment or official duties or by reason of any examination or investigation made by, or return, report or record made to or filed with, such department or agency or officer or employee thereof, which information concerns or relates to the trade secrets, processes, operations, style of work, or apparatus, or to the identity, confidential statistical data, amount or source of any income, profits, losses, or expenditures of any person, firm, partnership, corporation, or association; or permits any income return or copy thereof or any book containing any abstract or particulars thereof to be seen or examined by any person except as provided by law; shall be fined not more than $1,000, or imprisoned not more than one year, or both; and shall be removed from office or employment.’
“I understand that unauthorized disclosure of confidential information is also punishable under the Privacy Act of 1974, Subsection 552a (I) (1), which reads:
‘Any officer or employee of any agency, who by virtue of his employment or official position, has possession of, or access to, agency records which contain individually identifiable information the disclosure of which is prohibited by this section or by rules or regulations established thereunder, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.’
“My signature below indicates that I have read, understood, and agreed to comply with the above statements.”
________________________ __________________________ ________________
Typed/Printed Name Signature Date
________________________
Center/Institute/Office
CDC 0.979 5-83 Rev. December 2003
Confidentiality Security Statement Attachment 2a
CENTERS FOR DISEASE CONTROL AND PREVENTION
National Center for HIV, STD, TB Prevention
Division of HIV/AIDS - Surveillance and Epidemiology
Request for Access to HIV/AIDS Reporting System (HARS) and
Other Surveillance Databases
Name: ______________________________ User ID: _______________
Date of Request:_______________________ CIO/Div/Br: _____________
Type of Access Required: _____ RF (Read, File Scan)
_____ RWCMF (Read, Write, Create, Erase, Modify, File Scan)
Access Requested until ______________ (date)
Justification for Access:
Supervisory Certification:
I certify that it is a necessary part of the above staff member’s official duties to have access to the HARS and related Surveillance databases. I have advised this employee of the confidentiality of these data and have attached a signed “Agreement to Abide by Restrictions on Release of Data”.
_______________________________
Section Chief’s Signature
Approval:
________________________________________
Chief, (HICSB/BCSB), DHAP-SE or designee
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
For HICSB or BCSB Use Only (retain signed copies of “Request for access...” and “Agreement to abide by restrictions...” forms and copies of emails to helpdesk.
Email to helpdesk requesting access sent on ___________ (date) by ____________
Email to helpdesk deleting access sent on ______________ (date) by ___________
Agreement to abide by restrictions on release of surveillance data collected and maintained by the Division of HIV/AIDS Prevention - Surveillance and Epidemiology
I, ___________________________, understand that data collected by CDC through the HIV/AIDS surveillance system and related surveillance activities, projects, and case investigations under Section 306 of the Public Health Service Act (42 U.S.C. 242k) is protected at the national level by an Assurance of Confidentiality (Section 308(d) of the Public Health Service Act, 42 U.S.C. 242m(d)), which prohibits disclosure of any information that could be used to directly or indirectly identify any individual on whom a record is maintained by CDC. This prohibition has led to the formulation of the following guidelines for release of HIV/AIDS case reports and supplemental data collected on such persons to which, in accepting access to data not considered public-use, I agree to adhere. These guidelines represent a balance between potential for inadvertent disclosure and the need for the CDC/DHAP-SE to be responsive to information requests having legitimate public health application. In particular, variables that identify geographic units or facilities have the potential to indirectly identify individuals.
Therefore, I will not release, either inside or outside CDC, State/Territorial, MSA, city or county specific data in any format (e.g., publications, presentations, slides, interviews) without the consent of the appropriate State or local agency, except as consistent with the format described below and presented in detail in the written documentation for the AIDS Public Information Data Set (AIDS PIDS). Specifically, in accordance with the terms of written agreements between CDC, the Council of State and Territorial Epidemiologists (CSTE), and individual State/Territorial health departments AND in accordance with the principles of the Assurance of Confidentiality for HIV/AIDS surveillance and related data authorized under Section 308d of the U.S. Public Health Service Act:
I am permitted to release national and regional tabulations, from the HIV/AIDS surveillance database in either narrative or tabular format.
For cases in adults/adolescents > 13 years of age, for MSA’s with greater than 500,000 population, I may release multiple-way cross tabulations of 14 variables using the categories and conditions listed in the current AIDS PIDS for the rectangular data file.
For any State, the District of Columbia, or MSA with greater than 500,000 population, I may release 2-way cross tabulations of 8 variables using the categories listed in the current AIDS PIDS if cell sizes are all greater than 3. If cells containing information on 3 or fewer cases are produced, I agree to either delete those cells and all summaries using those cells from the table, or insert in any cell of 3 or less, the notation “less than or equal to 3."
For any MSA with greater than 100,000 population in selected States designated in the current AIDS PIDS, I may release 2-way cross tabulations of 8 variables using the categories and conditions listed in the current AIDS PIDS if cell sizes are all greater than 3. If cells containing information on 3 or fewer cases are produced, I agree to either delete those cells and all summaries using those cells from the table, or insert in any cell of 3 or less, the notation “less than or equal to 3."
For individual counties or health districts in selected States designated in the current AIDS PIDS, I may release one-way frequencies of 3 variables ( age, race/ethnicity, and sex) subject to the small cell size restriction described above.
I understand that release of data not specifically permitted by this agreement is prohibited unless written permission is first obtained from the appropriate Branch Chief (HICSB or BCSB), Division of HIV/AIDS Prevention - Surveillance and Epidemiology.
When presenting or publishing state, city, county, or MSA-specific data in accordance with the restrictions outlined above, I will inform the appropriate state and local health departments in advance of the release of state or local data, so as to afford them the opportunity to anticipate local queries and prepare their response.
When presenting or publishing data from surveillance-related studies, investigations, or evaluations, I will adhere to the principles and guidelines outlined in this agreement.
I also agree to the following:
I will not give my access password to any person.
I will treat all data at my desk site confidentially and maintain records that could directly or indirectly identify any individual on whom CDC maintains a record in a locked file cabinet. Sensitive identifying information from special case investigations will only be maintained in a locked file cabinet in a locked room which has restricted access.
I will keep all hard copies of data runs containing small cells locked in a file cabinet when not in use, shredding them when they are no longer necessary to my analysis.
I will not produce a “back-up” data file of HIV/AIDS case surveillance data or related databases maintained by DHAP-SE.
I will not remove electronic files, records or databases from the worksite.
I will not remove hard copies of case reports, survey instruments, laboratory reports, confidential communications, or any records containing sensitive data and information or the like from the worksite.
I will not remove from the worksite tabulations or data in any format that could directly or indirectly identify any individual.
I will maintain confidentiality of records on individuals in all discussions, communications, e-mails, tabulations, presentations, and publications (and the like) by using only the minimum information necessary to describe the individual case.
I will not release data to the press or media without pre-screening of the request by the Office of Communications, NCHSTP.
I am responsible for obtaining IRB review of projects when appropriate.
User ID: __________________
Purpose of investigation (provide a brief statement):
Database(s) to be accessed:
Estimated time needed for data access/analysis:
I have read this document, “Agreement to abide by restrictions on release of data...” and the attached document “Release of CDC HIV/AIDS Surveillance and Related Data,” and I agree to abide by them. Failure to comply with this agreement may result in disciplinary action, including possible termination of employment.
Signed: __________________________________ Date: ______________________
(Requestor)
CIO, Division, Branch _______________________________
Approved: ________________________________ Date: ______________________
Chief, (HICSB/BCSB), DHAP-SE, NCHSTP or designee
Revised December, 2003
Confidentiality Security Statement Attachment 2b
RELEASE OF CDC HIV/AIDS SURVEILLANCE AND RELATED DATA
Description of the system
The HIV/AIDS Reporting System (HARS) surveillance database is composed of HIV/AIDS case reports submitted on a voluntary basis to CDC by the 50 States, the District of Columbia, U.S. dependencies and possessions, and certain independent nations in free association with the U.S.
Encrypted case reports are received electronically using a standardized reporting form and software. The data from state and local health departments are decrypted and the CDC HARS database is updated on a monthly basis to include all cases received and processed through the last day of the previous month. Identifying information on each case is deleted prior to transfer to CDC and cases are identified at the national level only by soundex code based on patient’s surname, date of birth, and a state-assigned patient identification number.
DHAP-SE HICSB and BCSB maintain a large number of databases on individuals at risk for or diagnosed with HIV infection including case reports, case investigations, related surveillance databases, surveys, and data from medical records or public health databases.
All data collected and maintained by the DHAP-SE HICSB and BCSB must be managed, presented, published and released in accordance with strict adherence to the standards for confidentiality and security consistent with the principles and guidelines for HIV and AIDS case report data. In particular, geographic and small cell data may be indirectly identifying when combined with detailed information contained in case reports, questionnaires, or from laboratory or medical records.
Restrictions on release of data
HIV/AIDS surveillance data and data from surveillance-related projects, evaluation studies and case investigations are collected under Section 306 of the Public Health Service Act (42 U.S.C. 242k) and are protected at the national level by an Assurance of Confidentiality (Section 308(d) of the Public Health Service Act, 42 U.S.C. 242 m(d)), which prohibits disclosure of any information that could be used to directly or indirectly identify individuals whose records are contained in the HARS surveillance database. This prohibition has led to the formulation of guidelines for data release. The guidelines represent a balance between the potential for inadvertent disclosure and the need for the CDC/DHAP-SE to be responsive to information requests having legitimate public health application. Guidelines for data release are described in detail in the documentation for the AIDS Public Information Data Set (AIDS PIDS). The guidelines were developed jointly by CDC and the Council of State and Territorial Epidemiologists (CSTE). Each State epidemiologist was surveyed and elected the level of geographic specificity (State, county, health district, size of MSA) at which CDC may report data on HIV/AIDS cases residing in that State. These principles and restrictions should also be applied to other data and information collected and maintained by the DHAP-SE HICSB or BCSB.
As a general rule, requests from the public, the media, and other government agencies for State/local data will be referred to the local area for reply. There are two reasons for this. First, local health departments can release their HIV/AIDS surveillance data in accordance with locally established policies and procedures. Second, the delay between the date of diagnosis and report to CDC ensures that local health department data are more current than that contained in the CDC HIV/AIDS surveillance database. However, CDC may release data to the public, for presentation in oral and written publications, and otherwise make data available for epidemiologic and public health purposes within the guidelines specified in the AIDS PIDS and described in the document “Agreement to abide by restrictions on release of data...” When publishing or presenting State/local data, CDC staff should notify the local areas in advance whenever possible. Outside the bounds of these guidelines, CDC will not release, in any format, State, county, health district, or MSA specific data without the consent of the appropriate State or local health departments.
Access to the data base
The DHAP-SE HICS and BCS Branches are charged with the responsibility of maintaining the security and confidentiality as well as the scientific integrity of the surveillance data base. Access to data beyond that available for public use is limited, through password protection, to members of DHAP-SE HICSB, BCSB, and selected members of the DHAP-SE/Statistics and Data Management Branch, their contractors and other authorized agents. In limited circumstances, CDC staff outside these groups or external project collaborators may be granted access on an as needed basis, at the discretion of the appropriate Branch Chief. External collaborators are those with whom DHAP-SE has existing cooperative agreements or contracts involving the collection or analysis of this surveillance data.. To obtain access, others outside the CDC Branches mentioned above must do the following:
Pose a specific research question.
Estimate the time required for their analysis/access.
Agree in writing to abide by DHAP/SE policies on data release and sign the “Nondisclosure agreement”, the “Request for access...”, and the “Agreement to abide by restrictions...” documents that contain the policies and guidelines for use of HIV/AIDS surveillance and related data.
Provide an outline on their proposed methodology including names of variables to be used in the analysis.
Collaborate with staff of the HIV Incidence and Case Surveillance Branch or Behavioral and Clinical Surveillance Branch in analysis, presentation, and publication of the results of their analysis. In some cases, access to national data by collaborators may be designed as part of the project protocol, and should be agreed to by all collaborators on the project.
Submit all reports, publications, presentation to DHAP-SE clearance and cross-clearance channels.
Alternatives to access to the HARS data
To reduce the burden on HICSB, BCSB, and SDMB staff, other CDC staff requesting HIV/AIDS surveillance data are encouraged to use publicly available reports, slide sets, and the AIDS PIDS. CDC staff who use HIV/AIDS Surveillance data for policy development, resource allocation, research prioritization and other public health purposes are advised to consult with HICSB or BCSB staff to ensure appropriate interpretation of the data. CDC staff who present or publish HIV/AIDS surveillance data should adhere to CDC policies for clearance and cross-clearance to ensure that data are presented and interpreted consistently and accurately.
The HIV/AIDS SURVEILLANCE Report is published annually. The report is a collection of tables and figures describing the characteristics of HIV/AIDS cases in the United States. The report includes national data on age, sex, race, and transmission category, and annual AIDS incidence by State and metropolitan statistical area (MSA) if greater than 500,000 population. This report is updated to include data reported to CDC through and December 31 annually.
DHAP-SE produces numerous supplemental reports, MMWR articles, and peer-reviewed publications. Copies can be obtained from the HICSB at (404)-639-2040, or the BCSB at (404) 639-2090.
The AIDS Public Information Data Set is distributed in microcomputer format. The dataset is updated annually and contains a record for each AIDS case reported to CDC in a single data file containing variables extracted from CDC’s national AIDS surveillance data base. The variables are formatted so as not to release patient data that could directly or indirectly identify the individual. The tables for the United States, individual States, MSAs and county or health districts contain frequency tables and cross tabulations of a small number of variables extracted from the AIDS data base. Included is one set of tables for the entire United States, one set for each state and the District of Columbia. All MSAs with 500,000 or more population are included in the data set. Selected MSAs between 100,000 and 500,000, and selected counties or health districts are included in the data set, based on the data release policies of the individual states.
DHAP/SE surveillance publications and the AIDS PIDS can be accessed through the CDC website at http://www.cdc.gov/nchstp and also through the National Prevention Information Network (NPIN) at http://www.npin.org.
The DHAP/SE HICSB and the BCSB, wishing to be responsive to specific data requests having important public health application, will consider requests for data and data analysis which cannot be responded to using production materials. For requests requiring HICSB, BCSB, or in some cases SDMB response, submission in written format is preferred to assist in ensuring an appropriate response. Due to limited resources, response to requests for data is not guaranteed and data will be supplied only if its release does not conflict with current disclosure prohibitions. Consideration will be given to verbal requests from:
The Executive Branch; Members of Congress and their staffs; senior staff from other Federal agencies; the States; associations serving the States (e.g., ASTHO, CSTE, NASTAD); other public institutions of CDC interest (e.g., The Red Cross and National Hemophilia Foundation); and selected CDC staff serving these constituencies.
The Press after screening by NCHSTP, Office of Communications. After screening, requests will be taken verbally but requesters will be encouraged to submit their queries in writing to ensure an appropriate response.
Other parties and individuals should submit requests in written format to the Chief of either the HICS or BCS Branch, or one of their designees. Due to limited resources, response cannot be guaranteed. The AIDS Public Information Data Set and published materials will be suggested as an alternative resource.
Confidentiality Security Statement Attachment 3
Safeguards for Individuals and Establishments
Against Invasions of Privacy
In accordance with Subsection (m) of the Privacy Act of 1974 (5 U.S.C. 552a) and Section 308(d) of the Public Health Service Act (42 U.S.C. 242m), the contractor is required to comply with the applicable provisions of the Privacy Act and to undertake other safeguards for individuals and establishments against invasions of privacy.
To provide these safeguards in performance of the contract, the contractor shall:
Be bound by the following assurance:
Assurance of Confidentiality
In accordance with Section 308(d) of the Public Health Service Act (42 U.S.C. 242m), the contractor assures all respondents that the confidentiality of their responses to this information request will be maintained by the contractor and CDC and that no information obtained in the course of this activity will be disclosed in a manner in which the individual or establishment is identifiable, unless the individual or establishment has consented to such disclosure, to anyone other than authorized staff of CDC.
Maintain the following safeguards to assure that confidentiality is protected by contractor’s employees and to provide for the physical security of the records:
a. After having read the above assurance of confidentiality, each employee of the contractor participating in this project is to sign the following pledge of confidentiality:
I have carefully read and understand the assurance which pertains to the confidential nature of all records to be handled in regard to this survey. As an employee of the contractor I understand that I am prohibited by law from disclosing any such confidential information which has been obtained under the terms of this contract to anyone other than authorized staff of CDC. I understand that any willful and knowing disclosure in violation of the Privacy Act of 1974 is a misdemeanor and would subject the violator to a fine of up to $5,000.
b. To preclude observation of confidential information by persons not employed on the project, the contractor shall maintain all confidential records that identify individuals or establishments or from which individuals or establishments could be identified under lock and key.
Specifically, at each site where these items are processed or maintained, all confidential records that will permit identification of individuals or establishments are to be kept in locked containers when not in use by the contractor’s employees. The keys or means of access to these containers are to be held by a limited number of the contractor’s staff at each site. When confidential records are being used in a room, admittance to the room is to be restricted to employees pledged to confidentiality and employed on this project. If at any time the contractor’s employees are absent from the room, it is to be locked.
c. The contractor and his professional staff will take steps to insure that the intent of the pledge of confidentiality is enforced at all times through appropriate qualifications standards for all personnel working on this project and through adequate training and periodic follow up procedures.
Print on the questionnaire in a clearly visible location and in clearly visible letters the following notice of the confidential treatment to be accorded the information on the questionnaire by any individual who may see it:
Confidential Information
Information contained on this form which would permit identification of any individual or establishment has been collected with a guarantee that it will be held in strict confidence by the contractor and CDC, will be used only for purposes stated in this project, and will not be disclosed or released to anyone other than authorized staff of CDC without the consent of the individual or the establishment in accordance with Section 308(d) of the Public Health Service Act (42 U.S.C.242m).
On a letter or other form that can be retained by the individual or the establishment, or on the questionnaire form itself if it is a self-administered questionnaire, inform in clear and simple terms each individual or establishment asked to supply information:
a. That the collection of the information by CDC and its contractor is authorized by Section 306 of the Public Health Service Act (42 U.S.C.242k);
b. Of the purpose or purposes for which the information is intended to be used, clearly stating that the records will be used solely for epidemiological or statistical research and reporting purposes;
c. Of the routine uses that may be made of the information, including all disclosures specified in the “Federal Register” for this system of records which may be applicable to this project;
d. That participation is voluntary and there are no penalties for declining to participate in whole or in part; and
e. That no information collected under the authority of Section 306 of the Public Health Service Act (42 U.S.C. 242k) may be used for any purpose other than the purpose for which it was supplied, and such information may not be published or released in other form if the particular individual or establishment supplying the information or described in it is identifiable to anyone other than authorized staff of CDC, unless the individual or establishment has consented to such release.
(The voluntary disclosure by the respondent of requested information after being informed of preceding paragraphs a through d is an acknowledgment of the uses and disclosures contained in paragraph c.)
Release no information from the data obtained or used under this contract to any person except authorized staff of CDC.
By a specified date, which may be no later than the date of completion of the contract, return all project data to CDC or destroy all such data, as specified by the contract.
_____________________________
(Typed/printed Name)
_____________________________
(Signature)
_____________________________
(Date)
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| Author | Sam Costa |
| File Modified | 0000-00-00 |
| File Created | 2021-01-31 |